1

我正在尝试创建以下策略,以授予对我的一个任务定义 (ECS) 的 Amazon S3 的完全访问权限。这是我正在使用的地形代码:

data "aws_iam_policy_document" "inline_policy_s3" {
  version = "2012-10-17"
  statement {
    sid       = ""
    actions   = ["sts:AssumeRole", "s3:*"]
    effect    = "Allow"
    resources = ["*"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "task_role" {
  name               = "ecs_service_task_role"
  assume_role_policy = data.aws_iam_policy_document.inline_policy_s3.json
}

问题是我在运行时收到此错误terraform apply

╷
│ Error: Error creating IAM Role ecs_service_task_role: MalformedPolicyDocument: Has prohibited field Resource
│       status code: 400, request id: 25afe8f8-cc66-4533-8f66-9a1f2aeb656b
│ 
│   with module.service.aws_iam_role.task_role,
│   on service/task_role_policy.tf line 16, in resource "aws_iam_role" "task_role":
│   16: resource "aws_iam_role" "task_role" {
│ 
╵

我尝试更改策略的某些属性,但找不到问题。知道发生了什么吗?

4

1 回答 1

2

推力策略没有 resources不能拥有sts:AssumeRole. 所以应该是:

data "aws_iam_policy_document" "inline_policy_s3" {
  version = "2012-10-17"
  statement {
    sid       = ""
    actions   = ["sts:AssumeRole"]
    effect    = "Allow"

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

对于您的 s3 权限,您需要通过例如inline_policy创建它们。

于 2021-08-14T11:08:25.250 回答